Mandiant Threat Intelligence 2.0.0
App Vendor: Mandiant Threat Intelligence
App Category: Analytics & SIEM
Connector Version: 2.0.0
API Version: v4
About App
Mandiant threat intelligence gives security practitioners unparalleled visibility and expertise into threats that matter to their business right now. Threat intelligence can be delivered as a technology, operated side-by-side with your team, or fully managed by mandiant experts.
The Mandiant Threat Intelligence app is configured with Orchestrate to perform the following actions:
Action Name | Description |
|---|---|
Generic Action | This is a generic action to perform any additional use case that you want on mandiant threat intelligence by making a request to any endpoint. |
Get All Malware Families | This action returns all the malware families. |
Get Indicator by Value | This action returns an indicator by the given indicator value. |
Get Malware Family | This action returns detailed information for the malware family ID or malware family name. |
Get Report by ID | This action returns the full content of the report specified in the ID in JSON format. |
Get Vulnerability by CVE ID | This action returns vulnerability by CVE ID. |
List Indicators by Malware | This action returns the list of indicators for a given malware. |
Search Indicators by Value | This action searches for indicators by the given value. |
Search Query | This action returns intelligence matching a defined query, including threat actors, malware families, indicators, vulnerabilities, and finished intelligence reports. |
Configuration Parameters
The following configuration parameters are required for the Mandiant Threat Intelligence app to communicate with the Mandiant Threat Intelligence enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
API Key | Enter the API key to authenticate. | Password | Required |
|
API Secret | Enter the API secret to authenticate. | Password | Required |
|
Verify | Choose your preference to verify SSL while making requests. | Boolean | Optional | Default value: True |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Mandiant Threat Intelligence. | Integer | Optional | Available range: 15-120 seconds Default value: 15 seconds |
Action: Generic Action
This is a generic action to perform any additional use case that you want on mandiant threat intelligence by making a request to any endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Method | Enter the HTTP method to make a request. | Text | Required | |
Endpoint | Enter the endpoint to make the request. Example: /api/vulnerabilities/{cve_id} | Text | Required | |
Query params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra fields | Enter the extra fields to pass to the API. | Key Value | Optional |
Action: Get All Malware Families
This action returns all the malware families.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Limit | Enter the maximum number of results to return. | Integer | Optional | Default value: 5000 |
Offset | Enter the number of items to skip before starting to collect the result set. | Integer | Optional | If not specified, defaults to zero (0). The maximum amount of items that can be fetched using an offset and limit is 10,000. (the offset + limit must be <= 10,000). |
Example Request
[
{}
]Action: Get Indicator by Value
This action returns an indicator by the given indicator value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Indicator type | Enter the type of indicator to return. This must match the value provided in the indicator value parameter. | Text | Required | Allowed values:
|
Indicator value | Enter the value of the indicator to return. This must match the type provided in the indicator type parameter. Example: 1.1.1.1, emotet, 324543352-54637. | Text | Required |
Example Request
[
{
"indicator_type": "ipv4",
"indicator_value": "47.251.11.230"
}
]Action: Get Malware Family
This action returns detailed information for the malware family ID or malware family name.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Id or name | Enter the ID or name of the malware family to return. Example: emotet, apt4. | Text | Required |
Example Request
[
{
"id_or_name": "emotet"
}
]Action: Get Report by ID
This action will return the full content of the report specified in the id in json format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Report id | Enter the report id. example: 22-00006668 | Text | Required |
Example Request
[
{
"report_id": "22-00006668"
}
]Action: Get Vulnerability by CVE ID
This action will return vulnerability by CVE ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Cve id | Enter the CVE ID of the vulnerability. | Text | Required | |
Rating types | Enter the rating types as a comma-separated field. | Text | Optional | Allowed values:
|
Fields | Enter the fields returned from the list vulnerabilities response as comma-separated values. | Text | Optional | Allowable response fields: All fields in GET Vulnerability by ID response schema. Default Values:
|
Example Request
[
{
"cve_id": "CVE-2022-28267"
}
]Action: List Indicators by Malware
This action returns the list of indicators for a given malware.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Id | Enter the ID of the malware family to return. Example: malware--81f821d1-4ec9-534d-8dc7-53da47e5074a. | Text | Required | |
Limit | Enter the maximum number of results to return. | Integer | Optional | Maximum allowed value: 1000 Default value: 25 |
Offset | Enter the number of items to skip before starting to collect the result set. | Integer | Optional | if not specified, defaults to zero (0). The maximum amount of items that can be fetched using an offset and limit is 10,000. (the offset + limit must be <= 10,000). |
Example Request
[
{
"id": "malware--bf69c98d-74a5-5a37-92c6-1fb5a4bc8cb9"
}
]Action: Search Indicators by Value
This action searches for indicators by the given value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Indicator values | Enter the list of indicators to search. Example: 1.1.1.1, emotet, 324543352-54637. | List | Required |
Action: Search Query
This action returns intelligence matching a defined query, including threat actors, malware families, indicators, vulnerabilities, and finished intelligence reports.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Search | Enter the search query | Text | Required | |
Limit | Enter the maximum number of results to return. | Integer | Optional | Default: 50 Allowed value: Maximum 1000 |
Sort by | Enter the sort by values. Example: "created", "modified", "published", "title", "id", "score" | List | Optional | |
Sort order | Enter the sort order value. | Text | Optional | Allowed values:
|
Type | Enter the type of objects to search. | Text | Optional | Allowed values:
|
Next page id | Enter the next page id to fetch the remaining results | Text | Optional | |
Poll all | Enter true to poll all the data. | Boolean | Optional | Allowed values:
Default value: False |
Example Request
[
{
"type": "all",
"limit": "10",
"search": "APT41",
"poll_all": true
}
]